lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 13 Oct 2017 13:02:38 +0800
From:   Liang Chen <liangchen.linux@...il.com>
To:     Michael Lyle <mlyle@...e.org>
Cc:     linux-bcache@...r.kernel.org, Coly Li <i@...y.li>,
        Kent Overstreet <kent.overstreet@...il.com>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] bcache: safeguard a dangerous addressing in closure_queue

On Fri, Oct 13, 2017 at 1:44 AM, Michael Lyle <mlyle@...e.org> wrote:
> On 10/12/2017 07:37 AM, Liang Chen wrote:
>> The use of the union reduces the size of closure struct by taking advantage
>> of the current size of its members. The offset of func in work_struct equals
>> the size of the first three members, so that work.work_func will just
>> reference the forth member - fn.
>>
>> This is smart but dangerous. It can be broken if work_struct or the other
>> structs get changed, and can be a bit difficult to debug.
>>
>> Signed-off-by: Liang Chen <liangchen.linux@...il.com>
>
> So the objective here is to make sure that struct work_struct and the
> anonymous struct remain identical?  I agree that's a potential problem
> for future maintenance.
>
> Could we use BUILD_BUG_ON with offsets and sizes to do the same, to get
> compile-time checking and avoid doing anything at runtime (I know the
> compiler can usually omit the BUG but better to be safe)?  Otherwise a
> kernel that triggered this problem would compile, and it'd only be if
> someone actually used bcache that it would trigger.
>
> Mike

Yeah, the objective here is to make sure the offset of func and fn remains the
same so cl->work.func will just reference cl->fn.

Sure, BUILD_BUG_ON will do the work, and can capture the problem at compile
time. Thanks for the reminding! I will submit another patch soon.

Thanks,
Liang

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ